Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool for web applications. ZAP runs as a "man-in-the-middle" proxy between the tester's browser and the web app. You can use ZAP to run penetration tests that simulate a malicious external attack, and then use the results to protect your app from unauthorized access and denial-of-service attacks.
Scan policy types
STO supports the following scan policy types for ZAP:
orchestratedScan — A Security step in the pipeline runs the scan and ingests the results. This is easier to set up and supports scans with default or predefined settings.
ingestionOnly — Run the scan in a Run step, or outside the pipeline, and then ingest the results. This is useful for advanced workflows that address specific security needs. See Ingest scan results into an STO pipeline.
product_config_name — Specify one of the following:
standard (scanMode = active, scanType = standard)
attack (scanMode = active, scanType = attack)
quick (scanMode = active, scanType = standard, quickMode = true)
instance_identifier — The target Id that will appear in the Test Targets page of the Harness UI.
instance_environment — The instance environment, such as
instance_domain — The app domain to scan, for example
instance_protocol — The protocol of the site to scan. Generally this is
instance_path — Specify if the app URL includes a path beyond the domain. If you want to scan https://app.my-domain.com/myModule/myApp, the instance path is
instance_port — Specify if the site is accessed using a non-default port.
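The instance_* settings above are the pieces of a single target URL (protocol, domain, optional port, optional path), and product_config_name selects one of the three ZAP scan modes listed. The following Python is an added example, not code from the Harness docs or from ZAP: it splits a target URL into those settings, validates product_config_name against the page's three modes, and recomposes the URL so you can check what the step will actually scan. Two details are assumptions: instance_path is stored without the leading slash, and instance_port is omitted when the URL uses the scheme's default port.

```python
"""Added example (not part of the Harness docs or of ZAP): derive STO ZAP
instance_* settings from a target URL and validate product_config_name.

Assumptions (not stated on the page):
  - instance_path is stored without its leading slash
  - instance_port is omitted when the URL uses the scheme's default port
"""
from urllib.parse import urlsplit

# product_config_name values and the ZAP settings the page lists for each.
PRODUCT_CONFIGS = {
    "standard": {"scanMode": "active", "scanType": "standard"},
    "attack":   {"scanMode": "active", "scanType": "attack"},
    "quick":    {"scanMode": "active", "scanType": "standard", "quickMode": True},
}

# Default ports per protocol; a port equal to this is a "default port".
DEFAULT_PORTS = {"http": 80, "https": 443}


def zap_scan_mode(product_config_name: str) -> dict:
    """Return the scanMode/scanType(/quickMode) for a product_config_name."""
    try:
        return PRODUCT_CONFIGS[product_config_name]
    except KeyError:
        raise ValueError(
            f"product_config_name must be one of {sorted(PRODUCT_CONFIGS)}, "
            f"got {product_config_name!r}"
        ) from None


def zap_settings_from_url(url: str, identifier: str, environment: str,
                          product_config_name: str = "standard") -> dict:
    """Split a target URL into the instance_* settings for the Security step."""
    zap_scan_mode(product_config_name)  # raises on an unknown mode
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("instance_protocol must be http or https")
    if not parts.hostname:
        raise ValueError("target URL has no host (instance_domain)")
    if parts.query or parts.fragment:
        # The instance_* keys carry no query string or fragment; refuse rather
        # than silently scan a different URL than the caller intended.
        raise ValueError("query string and fragment cannot be expressed in instance_* settings")

    settings = {
        "product_config_name": product_config_name,
        "instance_identifier": identifier,
        "instance_environment": environment,
        "instance_protocol": parts.scheme,
        "instance_domain": parts.hostname,
    }
    path = parts.path.strip("/")  # assumption: path stored without leading slash
    if path:
        settings["instance_path"] = path
    port = parts.port  # None when the URL has no explicit port
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        settings["instance_port"] = str(port)  # only set for non-default ports
    return settings


def target_url(settings: dict) -> str:
    """Recompose the URL ZAP will scan from the instance_* settings."""
    url = f"{settings['instance_protocol']}://{settings['instance_domain']}"
    if settings.get("instance_port"):
        url += f":{settings['instance_port']}"
    if settings.get("instance_path"):
        url += "/" + settings["instance_path"]
    return url


if __name__ == "__main__":
    # Constructed sample target; the domain is the page's own example.
    s = zap_settings_from_url("https://app.my-domain.com/myModule/myApp",
                              identifier="my-app", environment="dev",
                              product_config_name="quick")
    for key, value in s.items():
        print(f"{key}: {value}")
    print("ZAP mode:", zap_scan_mode(s["product_config_name"]))
    print("will scan:", target_url(s))
```

Running the block prints the derived settings for the page's example URL, the ZAP mode the chosen product_config_name maps to, and the recomposed target; a mismatch between that last line and the URL you meant to scan is the quickest way to catch a domain/path split error before the step runs.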